Pentesting: a tool for empowering – not punishing – companies

Pentesting for companies

You’ve likely caught wind of this rising tide – offensive security, pentesting, and #RedTeams are not just gaining attention; they’re setting the trend.

We addressed this very topic in an article earlier this year.

What adds a dash of excitement is that DefCamp 2023, scheduled for next week, promises a lot of talk on offensive security.

In the meantime, we had the privilege of engaging in a conversation with one of Bit Sentinel’s finest Penetration Testers, Darius Moldovan. He shed some light on the changes happening in his field of work and shared insights on what it truly takes to excel as a professional in this ever-evolving domain.

Pentesting done right

When talking about an organization’s security maturity, there’s a pivotal role penetration testing plays today compared to a couple of years ago. Darius has some advice to share with small, medium and large organizations looking to engage penetration testing specialists for the first time. So: how can they maximize the value of the assessment?

The answer depends on how aware the organization is of the dangers online. The advice is to conduct regular audits regardless of the size of the company. But, from what I have observed, companies both small and large focus more on product delivery than product security. Such a short-term mentality seems to work but in reality it does not.

Nowadays we can no longer just talk about “Black Hat Hackers” especially since there is a cyber war going on. I stress that information is power. An audit by a specialist can be a smart move to prevent the theft of a company’s information.

From Darius’ experience, a series of vulnerabilities and security weaknesses consistently surfaces during his penetration tests. There are many ways organizations can address them. However, a balance between security and usability must be upheld throughout this transformative process. Additionally, the implementation of security measures, guided by the insights gleaned from penetration test findings, should be approached with a constructive mindset, steering away from a punitive stance for more effective outcomes.

The most common vulnerabilities encountered in penetration testing on web applications are usually those in the TOP OWASP 10 (Cross Site Scripting, Open Redirect, Insecure Direct Object References etc.) if we are talking about standard applications. If we are talking about custom applications, the most common vulnerabilities are those of functionality called “Business Logic vulnerabilities”, which allow an attacker to exploit security weaknesses that arise from flaws or vulnerabilities in how an application handles its core operations and business processes.

As a rule of thumb, when it comes to patching, companies should focus on vulnerabilities according to their score from critical to low – but also try to address less critical vulnerabilities since they could be used unexpectedly by a malicious actor. A well-written and easy-to-understand report will make life easier for the patcher, so the auditor’s role should not be focused on highlighting the shortcomings of a company, but instead on assisting the company in resolving as many of its issues as possible.

Never skip the “update to the latest version” message

Throughout Darius’s three-plus years of experience in penetration testing, he has encountered a spectrum of fascinating vulnerabilities. Interestingly enough, even from the most captivating vulnerability, the lesson learned remains remarkably straightforward and is a practice many companies would benefit from adopting.

One interesting vulnerability was when I discovered an application using an older version of WooCommerce. This plugin was vulnerable to CVE-2021-34646-Authentication Bypass. After a few tries, this vulnerability was not replicating, which led me to optimize the exploit publicly, managing to compromise accounts for over 300 employees. Even if sometimes the vulnerability cannot be replicated, it is good to push a bit more and develop new approaches.

A recommendation in this case was simple: the organization had to update to the latest version quickly. I have often encountered organizations that do not make it a priority to update plugins, software versions and servers constantly.

Beware: the future is reshaping penetration testing

This is a tough subject, so we needed a gentle introduction: manual vs automated pentesting – what’s your pick and why?

This is quite an interesting debate in the industry. I believe that you need both. I’ll still answer with a question, “Why do something manually when the “machine” I own can do it automatically?” What the “machine” can’t do, I will do manually and so on.

This specific word – “machine” – sparked our curiosity for the next inquiry: the intersection of penetration testing and machine learning. In a landscape continually shaped by AI, it’s safe to assume that penetration testing will undergo changes to tackle emerging threats. The lingering question revolves around the extent and specific mechanisms through which this evolution will unfold. How precisely will penetration testing integrate with machine learning to navigate the future security terrain?

My personal opinion is that the cyber field will evolve a lot in the future. But it also means that the attack surface will also grow exponentially. It’s like a scale, every increase has consequences and every consequence has a solution.

Yes, AI does reshape penetration testing. It gives pentesters a boost, but at the same time, it also enriches cyber criminal’s capabilities. This value is defined by the advanced exploitation techniques we find with AI.

Becoming a full-fledged pentester

For any aspiring penetration testers perusing this article, you’ve landed at the right place. 

Your head is probably spinning with questions: Where do I kick off? How do I keep the momentum going? Where can I level up my skills? What skills do I need to level up? And that classic self-doubt – am I good enough? 

We know it gets overwhelming. Darius knows as well. Fortunately, you’re in good hands – he’s been through it all and is now dropping some seriously cool tips and tricks that turned him into the professional he is today. 

For people who are interested in a career as an “ethical hacker”, it is essential to think outside the box. What does this mean? It’s simple: think of a physical “pen”. What can you do with a pen? Write correctly, but you can also draw or hurt a human, depending on your thoughts. This mentality is similar when it comes to “hacking”. You can use an application for its designated purpose. Or you can change the functionality altogether to accomplish some task.

As far as capturing the flag competitions go, I obviously recommend DefCamp Capture the Flag (D-CTF) for people with more advanced knowledge in the field. For newbies, I recommend UNbreakable Romania or PICO-CTF, as well as platforms like CyberEDU, HackTheBox and TryHackMe.

Three most important pieces of advice to our red team readers to improve their pentesting skills:

  • Don’t listen to negative opinions about a certification – the frustration and drama in this area is high. Do you have a dream to get “X” certification? Then do it.
  • CTFs suck. Well, I say they suck. But you will still learn a lot. So do it.
  • Bug bounty is unjust – big time. You will not get a bounty maybe in 6 months. However, you will get experience and a new mindset. So do it and be patient.

    And because DefCamp 2023 is just around the corner…

    Darius has been a regular at DefCamp for a while now. So we thought he’d be the right person to give some insights on why YOU should join the conference, the community & the experience: 

    DefCamp has the best food. Also, there are a lot of physical scenarios like: lock picking, OSINT, hardware hacking and more. Another thing is networking: you have access to meet a lot of technical hackers and interesting people. Just go to people and say “Hi” – they love this! We are waiting for you at Defcamp!

    What more can we say?

    Get your DefCamp ticket and join us on November 23-24. Don’t miss this chance to be part of one of the most exciting cybersecurity events of the year!

    We take this opportunity to mention that DefCamp 2023 is powered by Orange Romania. Moreover, this edition is possible with the support of our main partners: Bit Sentinel, Booking Holdings Center of Excellence, Keysight Technologies Romania, the National Institute for Research and Development in Informatics – ICI Bucharest, FORT, OPSWAT, Pentest-Tools.com, MSD, TwelveSec, Bitdefender, Superbet x Happening, KPMG, Siemens and CyberEDU.

     

      Related articles​

      One week left until the DefCamp Capture the Flag ..

      BY Adina Harabagiu
      We know there’s a lot happening at DefCamp this year, with so many activities and preparations underway ..

      5 reasons to attend DefCamp 2024 at the Palace of ..

      BY Adina Harabagiu
      There is no secret that DefCamp is coming back stronger every year, with new and exciting people and ..

      Keeping up with cybersecurity: DefCamp is back ..

      BY Adina Harabagiu
      On May 16-17, we had an amazing time in Cluj-Napoca, hosting the very first spin-off edition of DefCamp. Q: ..